Lucene search
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.REDHAT-RHSA-2024-2987.NASLHistoryMay 23, 2024 - 12:00 a.m.
RHEL 8 : python27:2.7 (RHSA-2024:2987)
2024-05-2300:00:00
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
2
rhel 8
python 2.7
vulnerabilities
rhsa-2024:2987
security fix
pypa-setuptools
use after free
xml external entity
python-urllib3
jinja2
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.5 High
AI Score
Confidence
High
0.005 Low
EPSS
Percentile
77.5%
The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:2987 advisory.
Python is an interpreted, interactive, object-oriented programming language that supports modules, classes, exceptions, high-level dynamic data types, and dynamic typing. The python27 packages provide a stable release of Python 2.7 with a number of additional utilities and database connectors for MySQL and PostgreSQL.
Security Fix(es):
* pypa-setuptools: Regular Expression Denial of Service (ReDoS) in package_index.py (CVE-2022-40897)
* python: use after free in heappushpop() of heapq module (CVE-2022-48560)
* python: XML External Entity in XML processing plistlib module (CVE-2022-48565)
* python-urllib3: Cookie request header isn't stripped during cross-origin redirects (CVE-2023-43804)
* jinja2: HTML attribute injection when passing user input as keys to xmlattr filter (CVE-2024-22195)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.10 Release Notes linked from the References section.
Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2024:2987. The text
# itself is copyright (C) Red Hat, Inc.
##
include('compat.inc');
if (description)
{
script_id(197745);
script_version("1.1");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/03");
script_cve_id(
"CVE-2022-40897",
"CVE-2022-48560",
"CVE-2022-48565",
"CVE-2023-43804",
"CVE-2024-22195"
);
script_xref(name:"RHSA", value:"2024:2987");
script_name(english:"RHEL 8 : python27:2.7 (RHSA-2024:2987)");
script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat host is missing one or more security updates for python27:2.7.");
script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as
referenced in the RHSA-2024:2987 advisory.
Python is an interpreted, interactive, object-oriented programming language that supports modules,
classes, exceptions, high-level dynamic data types, and dynamic typing. The python27 packages provide a
stable release of Python 2.7 with a number of additional utilities and database connectors for MySQL and
PostgreSQL.
Security Fix(es):
* pypa-setuptools: Regular Expression Denial of Service (ReDoS) in package_index.py (CVE-2022-40897)
* python: use after free in heappushpop() of heapq module (CVE-2022-48560)
* python: XML External Entity in XML processing plistlib module (CVE-2022-48565)
* python-urllib3: Cookie request header isn't stripped during cross-origin redirects (CVE-2023-43804)
* jinja2: HTML attribute injection when passing user input as keys to xmlattr filter (CVE-2024-22195)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and
other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.10 Release Notes
linked from the References section.
Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/updates/classification/#moderate");
# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.10_release_notes/index
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?99ff6172");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2158559");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2240059");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2242493");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2249755");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2257854");
# https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2987.json
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?23c12cdb");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2024:2987");
script_set_attribute(attribute:"solution", value:
"Update the RHEL python27:2.7 package based on the guidance in RHSA-2024:2987.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-48565");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_cwe_id(79, 185, 200, 416, 611);
script_set_attribute(attribute:"vendor_severity", value:"Moderate");
script_set_attribute(attribute:"vuln_publication_date", value:"2020/07/31");
script_set_attribute(attribute:"patch_publication_date", value:"2024/05/22");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/23");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:Cython");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:PyYAML");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:babel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:numpy");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pytest");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-PyMySQL");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-attrs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-backports");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-backports-ssl_match_hostname");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-chardet");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-coverage");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-dns");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-docs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-docutils");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-funcsigs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-idna");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-ipaddress");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-jinja2");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-lxml");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-markupsafe");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-mock");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-nose");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-nose-docs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-pluggy");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-psycopg2");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-psycopg2-doc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-py");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-pygments");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-pymongo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-pysocks");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-pytest-mock");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-requests");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-setuptools_scm");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-sqlalchemy");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-sqlalchemy-doc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-urllib3");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-virtualenv");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-wheel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-Cython");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-PyMySQL");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-attrs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-babel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-backports");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-backports-ssl_match_hostname");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-bson");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-chardet");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-coverage");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-debug");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-dns");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-docs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-docs-info");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-docutils");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-funcsigs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-idna");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-ipaddress");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-jinja2");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-libs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-lxml");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-markupsafe");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-mock");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-nose");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-numpy");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-numpy-doc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-numpy-f2py");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-pip");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-pip-wheel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-pluggy");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-psycopg2");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-psycopg2-debug");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-psycopg2-tests");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-py");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-pygments");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-pymongo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-pymongo-gridfs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-pysocks");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-pytest");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-pytest-mock");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-pytz");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-pyyaml");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-requests");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-rpm-macros");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-scipy");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-setuptools");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-setuptools-wheel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-setuptools_scm");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-six");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-sqlalchemy");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-test");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-tkinter");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-tools");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-urllib3");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-virtualenv");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-wheel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python2-wheel-wheel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pytz");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:scipy");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Red Hat Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
exit(0);
}
include('rpm.inc');
include('rhel.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);
if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);
var appstreams = {
'python27:2.7': [
{
'repo_relative_urls': [
'content/dist/rhel8/8.10/aarch64/appstream/debug',
'content/dist/rhel8/8.10/aarch64/appstream/os',
'content/dist/rhel8/8.10/aarch64/appstream/source/SRPMS',
'content/dist/rhel8/8.10/ppc64le/appstream/debug',
'content/dist/rhel8/8.10/ppc64le/appstream/os',
'content/dist/rhel8/8.10/ppc64le/appstream/source/SRPMS',
'content/dist/rhel8/8.10/s390x/appstream/debug',
'content/dist/rhel8/8.10/s390x/appstream/os',
'content/dist/rhel8/8.10/s390x/appstream/source/SRPMS',
'content/dist/rhel8/8.10/x86_64/appstream/debug',
'content/dist/rhel8/8.10/x86_64/appstream/os',
'content/dist/rhel8/8.10/x86_64/appstream/source/SRPMS',
'content/dist/rhel8/8.6/aarch64/appstream/debug',
'content/dist/rhel8/8.6/aarch64/appstream/os',
'content/dist/rhel8/8.6/aarch64/appstream/source/SRPMS',
'content/dist/rhel8/8.6/ppc64le/appstream/debug',
'content/dist/rhel8/8.6/ppc64le/appstream/os',
'content/dist/rhel8/8.6/ppc64le/appstream/source/SRPMS',
'content/dist/rhel8/8.6/s390x/appstream/debug',
'content/dist/rhel8/8.6/s390x/appstream/os',
'content/dist/rhel8/8.6/s390x/appstream/source/SRPMS',
'content/dist/rhel8/8.6/x86_64/appstream/debug',
'content/dist/rhel8/8.6/x86_64/appstream/os',
'content/dist/rhel8/8.6/x86_64/appstream/source/SRPMS',
'content/dist/rhel8/8.8/aarch64/appstream/debug',
'content/dist/rhel8/8.8/aarch64/appstream/os',
'content/dist/rhel8/8.8/aarch64/appstream/source/SRPMS',
'content/dist/rhel8/8.8/ppc64le/appstream/debug',
'content/dist/rhel8/8.8/ppc64le/appstream/os',
'content/dist/rhel8/8.8/ppc64le/appstream/source/SRPMS',
'content/dist/rhel8/8.8/s390x/appstream/debug',
'content/dist/rhel8/8.8/s390x/appstream/os',
'content/dist/rhel8/8.8/s390x/appstream/source/SRPMS',
'content/dist/rhel8/8.8/x86_64/appstream/debug',
'content/dist/rhel8/8.8/x86_64/appstream/os',
'content/dist/rhel8/8.8/x86_64/appstream/source/SRPMS',
'content/dist/rhel8/8.9/aarch64/appstream/debug',
'content/dist/rhel8/8.9/aarch64/appstream/os',
'content/dist/rhel8/8.9/aarch64/appstream/source/SRPMS',
'content/dist/rhel8/8.9/ppc64le/appstream/debug',
'content/dist/rhel8/8.9/ppc64le/appstream/os',
'content/dist/rhel8/8.9/ppc64le/appstream/source/SRPMS',
'content/dist/rhel8/8.9/s390x/appstream/debug',
'content/dist/rhel8/8.9/s390x/appstream/os',
'content/dist/rhel8/8.9/s390x/appstream/source/SRPMS',
'content/dist/rhel8/8.9/x86_64/appstream/debug',
'content/dist/rhel8/8.9/x86_64/appstream/os',
'content/dist/rhel8/8.9/x86_64/appstream/source/SRPMS',
'content/dist/rhel8/8/aarch64/appstream/debug',
'content/dist/rhel8/8/aarch64/appstream/os',
'content/dist/rhel8/8/aarch64/appstream/source/SRPMS',
'content/dist/rhel8/8/ppc64le/appstream/debug',
'content/dist/rhel8/8/ppc64le/appstream/os',
'content/dist/rhel8/8/ppc64le/appstream/source/SRPMS',
'content/dist/rhel8/8/s390x/appstream/debug',
'content/dist/rhel8/8/s390x/appstream/os',
'content/dist/rhel8/8/s390x/appstream/source/SRPMS',
'content/dist/rhel8/8/x86_64/appstream/debug',
'content/dist/rhel8/8/x86_64/appstream/os',
'content/dist/rhel8/8/x86_64/appstream/source/SRPMS'
],
'pkgs': [
{'reference':'babel-2.5.1-10.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python-nose-docs-1.3.7-31.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python-psycopg2-doc-2.7.5-8.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python-sqlalchemy-doc-1.3.2-2.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-2.7.18-17.module+el8.10.0+20822+a15ec22d', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-attrs-17.4.0-10.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-babel-2.5.1-10.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-backports-1.0-16.module+el8.9.0+18326+1b5baeee', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-backports-ssl_match_hostname-3.5.0.1-12.module+el8.9.0+18326+1b5baeee', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-bson-3.7.0-1.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-chardet-3.0.4-10.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-coverage-4.5.1-5.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-Cython-0.28.1-7.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-debug-2.7.18-17.module+el8.10.0+20822+a15ec22d', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-devel-2.7.18-17.module+el8.10.0+20822+a15ec22d', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-dns-1.15.0-10.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-docs-2.7.16-2.module+el8.9.0+18326+1b5baeee', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-docs-info-2.7.16-2.module+el8.9.0+18326+1b5baeee', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-docutils-0.14-12.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-funcsigs-1.0.2-13.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-idna-2.5-7.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-ipaddress-1.0.18-6.module+el8.9.0+18326+1b5baeee', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-jinja2-2.10-10.module+el8.10.0+21290+abd5b761', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-libs-2.7.18-17.module+el8.10.0+20822+a15ec22d', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-lxml-4.2.3-6.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-markupsafe-0.23-19.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-mock-2.0.0-13.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-nose-1.3.7-31.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-numpy-1.14.2-16.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
{'reference':'python2-numpy-doc-1.14.2-16.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
{'reference':'python2-numpy-f2py-1.14.2-16.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
{'reference':'python2-pip-9.0.3-19.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-pip-wheel-9.0.3-19.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-pluggy-0.6.0-8.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-psycopg2-2.7.5-8.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-psycopg2-debug-2.7.5-8.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-psycopg2-tests-2.7.5-8.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-py-1.5.3-6.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-pygments-2.2.0-22.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-pymongo-3.7.0-1.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-pymongo-gridfs-3.7.0-1.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-PyMySQL-0.8.0-10.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-pysocks-1.6.8-6.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-pytest-3.4.2-13.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-pytest-mock-1.9.0-4.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-pytz-2017.2-13.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-pyyaml-3.12-16.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-requests-2.20.0-4.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-rpm-macros-3-38.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-scipy-1.0.0-22.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-setuptools-39.0.1-14.module+el8.10.0+20444+3bf7fee4', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-setuptools-wheel-39.0.1-14.module+el8.10.0+20444+3bf7fee4', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-setuptools_scm-1.15.7-6.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-six-1.11.0-6.module+el8.9.0+18326+1b5baeee', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-sqlalchemy-1.3.2-2.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-test-2.7.18-17.module+el8.10.0+20822+a15ec22d', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-tkinter-2.7.18-17.module+el8.10.0+20822+a15ec22d', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-tools-2.7.18-17.module+el8.10.0+20822+a15ec22d', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-urllib3-1.24.2-4.module+el8.10.0+20444+3bf7fee4', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-virtualenv-15.1.0-22.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python2-wheel-0.31.1-3.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
{'reference':'python2-wheel-wheel-0.31.1-3.module+el8.9.0+19487+7dc18407', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'}
]
}
]
};
var applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:appstreams, appstreams:TRUE);
if(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);
var module_ver = get_kb_item('Host/RedHat/appstream/python27');
if (isnull(module_ver)) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module python27:2.7');
if ('2.7' >!< module_ver) audit(AUDIT_PACKAGE_NOT_AFFECTED, 'Module python27:' + module_ver);
var flag = 0;
var appstreams_found = 0;
foreach var module (keys(appstreams)) {
var appstream = NULL;
var appstream_name = NULL;
var appstream_version = NULL;
var appstream_split = split(module, sep:':', keep:FALSE);
if (!empty_or_null(appstream_split)) {
appstream_name = appstream_split[0];
appstream_version = appstream_split[1];
if (!empty_or_null(appstream_name)) appstream = get_one_kb_item('Host/RedHat/appstream/' + appstream_name);
}
if (!empty_or_null(appstream) && appstream_version == appstream || appstream_name == 'all') {
appstreams_found++;
foreach var module_array ( appstreams[module] ) {
var repo_relative_urls = NULL;
if (!empty_or_null(module_array['repo_relative_urls'])) repo_relative_urls = module_array['repo_relative_urls'];
foreach var package_array ( module_array['pkgs'] ) {
var reference = NULL;
var _release = NULL;
var sp = NULL;
var _cpu = NULL;
var el_string = NULL;
var rpm_spec_vers_cmp = NULL;
var epoch = NULL;
var allowmaj = NULL;
var exists_check = NULL;
var cves = NULL;
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (!empty_or_null(package_array['release'])) _release = 'RHEL' + package_array['release'];
if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
if (!empty_or_null(package_array['cves'])) cves = package_array['cves'];
if (reference &&
_release &&
rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&
(applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&
rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
}
}
}
}
if (!appstreams_found) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module python27:2.7');
if (flag)
{
var extra = NULL;
if (isnull(applicable_repo_urls) || !applicable_repo_urls) extra = rpm_report_get() + redhat_report_repo_caveat();
else extra = rpm_report_get();
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : extra
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'babel / python-nose-docs / python-psycopg2-doc / etc');
}
| Vendor | Product | Version | CPE |
|---|---|---|---|
| redhat | enterprise_linux | python-mock | p-cpe:/a:redhat:enterprise_linux:python-mock |
| redhat | enterprise_linux | python2-backports | p-cpe:/a:redhat:enterprise_linux:python2-backports |
| redhat | enterprise_linux | python2-numpy-f2py | p-cpe:/a:redhat:enterprise_linux:python2-numpy-f2py |
| redhat | enterprise_linux | python2-markupsafe | p-cpe:/a:redhat:enterprise_linux:python2-markupsafe |
| redhat | enterprise_linux | python2-numpy-doc | p-cpe:/a:redhat:enterprise_linux:python2-numpy-doc |
| redhat | enterprise_linux | python2-pytz | p-cpe:/a:redhat:enterprise_linux:python2-pytz |
| redhat | enterprise_linux | python-setuptools_scm | p-cpe:/a:redhat:enterprise_linux:python-setuptools_scm |
| redhat | enterprise_linux | python2-psycopg2 | p-cpe:/a:redhat:enterprise_linux:python2-psycopg2 |
| redhat | enterprise_linux | python2-rpm-macros | p-cpe:/a:redhat:enterprise_linux:python2-rpm-macros |
| redhat | enterprise_linux | python2-docutils | p-cpe:/a:redhat:enterprise_linux:python2-docutils |
References
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40897
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48560
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48565
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43804
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22195
www.nessus.org/u?23c12cdb
www.nessus.org/u?99ff6172
access.redhat.com/errata/RHSA-2024:2987
access.redhat.com/security/updates/classification/#moderate
bugzilla.redhat.com/show_bug.cgi?id=2158559
bugzilla.redhat.com/show_bug.cgi?id=2240059
bugzilla.redhat.com/show_bug.cgi?id=2242493
bugzilla.redhat.com/show_bug.cgi?id=2249755
bugzilla.redhat.com/show_bug.cgi?id=2257854
Related
osv
osv
Moderate: python27:2.7 security update
2024-05-22 00:00:00
CVE-2022-48565
2023-08-22 19:16:32
jinja2 - security update
2024-01-23 00:00:00
almalinux
almalinux
Moderate: python27:2.7 security update
2024-05-22 00:00:00
Moderate: python39:3.9 and python39-devel:3.9 security update
2024-05-22 00:00:00
Moderate: python-jinja2 security update
2024-04-30 00:00:00
oraclelinux
oraclelinux
python27:2.7 security update
2024-05-24 00:00:00
python39:3.9 and python39-devel:3.9 security update
2024-05-24 00:00:00
python-jinja2 security update
2024-05-02 00:00:00
redhat
redhat
(RHSA-2024:2987) Moderate: python27:2.7 security update
2024-05-22 06:35:16
(RHSA-2024:2348) Moderate: python-jinja2 security update
2024-04-30 06:15:27
(RHSA-2024:3102) Moderate: python-jinja2 security update
2024-05-22 06:35:37
nessus
nessus
EulerOS Virtualization 3.0.6.0 : python2 (EulerOS-SA-2024-1697)
2024-05-17 00:00:00
EulerOS 2.0 SP8 : python2 (EulerOS-SA-2024-1290)
2024-03-12 00:00:00
EulerOS 2.0 SP5 : python (EulerOS-SA-2024-1160)
2024-02-08 00:00:00
openvas
openvas
Huawei EulerOS: Security Advisory for python2 (EulerOS-SA-2024-1697)
2024-05-17 00:00:00
Huawei EulerOS: Security Advisory for python2 (EulerOS-SA-2024-1290)
2024-03-12 00:00:00
Huawei EulerOS: Security Advisory for python (EulerOS-SA-2024-1160)
2024-02-09 00:00:00
github
github
fedora
fedora
[SECURITY] Fedora 39 Update: mingw-python-jinja2-3.1.3-1.fc39
2024-01-23 00:58:55
[SECURITY] Fedora 38 Update: python2.7-2.7.18-35.fc38
2023-10-21 01:29:59
[SECURITY] Fedora 37 Update: python2.7-2.7.18-35.fc37
2023-10-21 01:26:15
rocky
rocky
python39:3.9 and python39-devel:3.9 security update
2024-06-14 13:59:30
python-jinja2 security update
2024-06-14 13:59:30
python-setuptools security update
2023-02-22 01:08:44
cloudlinux
cloudlinux
python: Fix of CVE-2022-48565
2023-10-09 19:03:14
python: Fix of CVE-2022-48560
2023-10-23 22:53:27
prion
prion
ubuntu
ubuntu
Python vulnerability
2023-09-07 00:00:00
Python vulnerability
2023-10-17 00:00:00
Python vulnerability
2023-09-21 00:00:00
amazon
amazon
Medium: python3-jinja2
2024-02-01 19:57:00
Important: python3
2023-10-25 21:40:00
Important: python
2023-10-30 23:59:00
cbl_mariner
cbl_mariner
redhatcve
redhatcve
cgr
cgr
CVE-2024-22195 vulnerabilities
2024-05-19 03:07:16
cve
cve
ubuntucve
ubuntucve
debiancve
debiancve
cvelist
cvelist
CVE-2022-48565
2023-08-22 00:00:00
CVE-2024-22195 Jinja vulnerable to Cross-Site Scripting (XSS)
2024-01-11 02:25:44
CVE-2022-48560
2023-08-22 00:00:00
nvd
nvd
veracode
veracode
XML External Entity (XXE)
2023-08-30 22:31:01
Denial Of Service (DoS)
2023-10-09 01:43:02
Cross Site Scripting (XSS)
2024-01-12 10:04:04
f5
f5
K000138629 : Python vulnerability CVE-2022-48560
2024-02-15 00:00:00
debian
debian
[SECURITY] [DLA 3614-1] python3.7 security update
2023-10-11 19:33:59
[SECURITY] [DLA 3715-1] jinja2 security update
2024-01-23 17:31:34
wolfi
wolfi
CVE-2024-22195 vulnerabilities
2024-06-16 21:08:17
freebsd
freebsd
py39-setuptools58 -- denial of service vulnerability
2022-12-23 00:00:00
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.5 High
AI Score
Confidence
High
0.005 Low
EPSS
Percentile
77.5%
Related for REDHAT-RHSA-2024-2987.NASL